<!DOCTYPE html>
<html>

<head>
  <title>Quarkus - Using OpenID Connect to Protect Service Applications using Bearer Token Authorization</title>
  <script id="adobe_dtm" src="https://www.redhat.com/dtm.js" type="text/javascript"></script>
  <script src="/assets/javascript/highlight.pack.js" type="text/javascript"></script>
  <META HTTP-EQUIV='Content-Security-Policy' CONTENT="default-src 'none'; script-src 'self' 'unsafe-eval' 'sha256-ANpuoVzuSex6VhqpYgsG25OHWVA1I+F6aGU04LoI+5s=' 'sha256-ipy9P/3rZZW06mTLAR0EnXvxSNcnfSDPLDuh3kzbB1w=' js.bizographics.com https://www.redhat.com assets.adobedtm.com jsonip.com https://ajax.googleapis.com https://www.googletagmanager.com https://www.google-analytics.com https://use.fontawesome.com; style-src 'self' https://fonts.googleapis.com https://use.fontawesome.com; img-src 'self' *; media-src 'self' ; frame-src https://www.googletagmanager.com https://www.youtube.com; frame-ancestors 'none'; base-uri 'none'; object-src 'none'; form-action 'none'; font-src 'self' https://use.fontawesome.com https://fonts.gstatic.com;">
  <META HTTP-EQUIV='X-Frame-Options' CONTENT="DENY">
  <META HTTP-EQUIV='X-XSS-Protection' CONTENT="1; mode=block">
  <META HTTP-EQUIV='X-Content-Type-Options' CONTENT="nosniff">
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <meta name="description" content="Quarkus: Supersonic Subatomic Java">
  <meta name="twitter:card" content="summary_large_image">
  <meta name="twitter:site" content="@QuarkusIO"> 
  <meta name="twitter:creator" content="@QuarkusIO">
  <meta property="og:url" content="https://quarkus.io/guides/security-openid-connect" />
  <meta property="og:title" content="Quarkus - Using OpenID Connect to Protect Service Applications using Bearer Token Authorization" />
  <meta property="og:description" content="Quarkus: Supersonic Subatomic Java" />
  <meta property="og:image" content="/assets/images/quarkus_card.png" />
  <link rel="canonical" href="https://quarkus.io/guides/security-openid-connect">
  <link rel="shortcut icon" type="image/png" href="/favicon.ico" >
  <link rel="stylesheet" href="https://quarkus.io/guides/stylesheet/config.css" />
  <link rel="stylesheet" href="/assets/css/main.css" />
  <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.1.0/css/all.css" integrity="sha384-lKuwvrZot6UHsBSfcMvOkWwlCMgc0TaWr+30HWe3a4ltaBwTZhyTEggF5tJv8tbt" crossorigin="anonymous">
  <link rel="alternate" type="application/rss+xml"  href="https://quarkus.io/feed.xml" title="Quarkus">
  <script src="https://quarkus.io/assets/javascript/goan.js" type="text/javascript"></script>
  <script src="https://quarkus.io/assets/javascript/hl.js" type="text/javascript"></script>
</head>

<body class="guides">
  <!-- Google Tag Manager (noscript) -->
  <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-NJWS5L"
  height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
  <!-- End Google Tag Manager (noscript) -->

  <div class="nav-wrapper">
  <div class="grid-wrapper">
    <div class="width-12-12">
      <input type="checkbox" id="checkbox" />
      <nav id="main-nav" class="main-nav">
  <div class="container">
    <div class="logo-wrapper">
      
        <a href="/"><img src="/assets/images/quarkus_logo_horizontal_rgb_600px_reverse.png" class="project-logo" title="Quarkus"></a>
      
    </div>
    <label class="nav-toggle" for="checkbox">
      <i class="fa fa-bars"></i>
    </label>
    <div id="menu" class="menu">
      <span>
        <a href="/get-started/" class="">Get Started</a>
      </span>
      <span>
        <a href="/guides/" class="active">Guides</a>
      </span>
      <span>
        <a href="/community/" class="">Community</a>
      </span>
      <span>
        <a href="/support/" class="">Support</a>
      </span>
      <span>
        <a href="/blog/" class="">Blog</a>
      </span>
      <span>
        <a href="https://code.quarkus.io" class="button-cta secondary white">Start Coding</a>
      </span>
    </div>
  </div>
      </nav>
    </div>
  </div>
</div>

  <div class="content">
    <div class="guide">
  <div class="width-12-12">
    <h1 class="text-caps">Quarkus - Using OpenID Connect to Protect Service Applications using Bearer Token Authorization</h1>
    <div class="hide-mobile toc"><ul class="sectlevel1">
<li><a href="#prerequisites">Prerequisites</a></li>
<li><a href="#architecture">Architecture</a></li>
<li><a href="#solution">Solution</a></li>
<li><a href="#creating-the-maven-project">Creating the Maven Project</a></li>
<li><a href="#writing-the-application">Writing the application</a>
<ul class="sectlevel2">
<li><a href="#accessing-jwt-claims">Accessing JWT claims</a></li>
</ul>
</li>
<li><a href="#configuring-the-application">Configuring the application</a>
<ul class="sectlevel2">
<li><a href="#configuring-using-the-application-properties-file">Configuring using the application.properties file</a></li>
<li><a href="#configuring-cors">Configuring CORS</a></li>
</ul>
</li>
<li><a href="#starting-and-configuring-the-keycloak-server">Starting and Configuring the Keycloak Server</a></li>
<li><a href="#running-and-using-the-application">Running and Using the Application</a>
<ul class="sectlevel2">
<li><a href="#running-in-developer-mode">Running in Developer Mode</a></li>
<li><a href="#running-in-jvm-mode">Running in JVM Mode</a></li>
<li><a href="#running-in-native-mode">Running in Native Mode</a></li>
</ul>
</li>
<li><a href="#testing-the-application">Testing the Application</a></li>
<li><a href="#token-claims-and-securityidentity-roles">Token Claims And SecurityIdentity Roles</a></li>
<li><a href="#oidc-single-page-applications">Single Page Applications</a></li>
<li><a href="#references">References</a></li>
</ul></div>
    <div>
      <div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>This guide demonstrates how to use Quarkus OpenID Connect Extension to protect your JAX-RS applications using Bearer Token Authorization where Bearer Tokens are issued by OpenId Connect and OAuth 2.0 compliant Authorization Servers such as <a href="https://www.keycloak.org/about.html">Keycloak</a>.</p>
</div>
<div class="paragraph">
<p>Bearer Token Authorization is the process of authorizing HTTP requests based on the existence and validity of a Bearer Token which provides valuable information to determine the subject of the call as well as whether or not an HTTP resource can be accessed.</p>
</div>
<div class="paragraph">
<p>Please read the <a href="security-openid-connect-web-authentication">Using OpenID Connect to Protect Web Applications</a> guide if you need to authenticate and authorize the users using OpenId Connect Authorization Code Flow.</p>
</div>
<div class="paragraph">
<p>Please read the <a href="security-openid-connect-multitenancy">Using OpenID Connect Multi-Tenancy</a> guide how to support multiple tenants.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="prerequisites"><a class="anchor" href="#prerequisites"></a>Prerequisites</h2>
<div class="sectionbody">
<div class="paragraph">
<p>To complete this guide, you need:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>less than 15 minutes</p>
</li>
<li>
<p>an IDE</p>
</li>
<li>
<p>JDK 1.8+ installed with <code>JAVA_HOME</code> configured appropriately</p>
</li>
<li>
<p>Apache Maven 3.6.2+</p>
</li>
<li>
<p><a href="https://stedolan.github.io/jq/">jq tool</a></p>
</li>
<li>
<p>Docker</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="architecture"><a class="anchor" href="#architecture"></a>Architecture</h2>
<div class="sectionbody">
<div class="paragraph">
<p>In this example, we build a very simple microservice which offers three endpoints:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><code>/api/users/me</code></p>
</li>
<li>
<p><code>/api/admin</code></p>
</li>
</ul>
</div>
<div class="paragraph">
<p>These endpoints are protected and can only be accessed if a client is sending a bearer token along with the request, which must be valid (e.g.: signature, expiration and audience) and trusted by the microservice.</p>
</div>
<div class="paragraph">
<p>The bearer token is issued by a Keycloak Server and represents the subject to which the token was issued for. For being an OAuth 2.0 Authorization Server, the token also references the client acting on behalf of the user.</p>
</div>
<div class="paragraph">
<p>The <code>/api/users/me</code> endpoint can be accessed by any user with a valid token. As a response, it returns a JSON document with details about the user where these details are obtained from the information carried on the token.</p>
</div>
<div class="paragraph">
<p>The <code>/api/admin</code> endpoint is protected with RBAC (Role-Based Access Control) where only users granted with the <code>admin</code> role can access. At this endpoint, we use the <code>@RolesAllowed</code> annotation to declaratively enforce the access constraint.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="solution"><a class="anchor" href="#solution"></a>Solution</h2>
<div class="sectionbody">
<div class="paragraph">
<p>We recommend that you follow the instructions in the next sections and create the application step by step.
However, you can go right to the completed example.</p>
</div>
<div class="paragraph">
<p>Clone the Git repository: <code>git clone <a href="https://github.com/quarkusio/quarkus-quickstarts.git" class="bare">https://github.com/quarkusio/quarkus-quickstarts.git</a></code>, or download an <a href="https://github.com/quarkusio/quarkus-quickstarts/archive/master.zip">archive</a>.</p>
</div>
<div class="paragraph">
<p>The solution is located in the <code>security-openid-connect-quickstart</code> <a href="https://github.com/quarkusio/quarkus-quickstarts/tree/master/security-openid-connect-quickstart">directory</a>.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="creating-the-maven-project"><a class="anchor" href="#creating-the-maven-project"></a>Creating the Maven Project</h2>
<div class="sectionbody">
<div class="paragraph">
<p>First, we need a new project. Create a new project with the following command:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-none hljs">mvn io.quarkus:quarkus-maven-plugin:1.7.0.Final:create \
    -DprojectGroupId=org.acme \
    -DprojectArtifactId=security-openid-connect-quickstart \
    -Dextensions="oidc, resteasy-jsonb"
cd security-openid-connect-quickstart</code></pre>
</div>
</div>
<div class="paragraph">
<p>This command generates a Maven project, importing the <code>keycloak</code> extension
which is an implementation of a Keycloak Adapter for Quarkus applications and provides all the necessary capabilities to integrate with a Keycloak Server and perform bearer token authorization.</p>
</div>
<div class="paragraph">
<p>If you already have your Quarkus project configured, you can add the <code>oidc</code> extension
to your project by running the following command in your project base directory:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="bash" class="language-bash hljs">./mvnw quarkus:add-extension -Dextensions="oidc"</code></pre>
</div>
</div>
<div class="paragraph">
<p>This will add the following to your <code>pom.xml</code>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="xml" class="language-xml hljs">&lt;dependency&gt;
    &lt;groupId&gt;io.quarkus&lt;/groupId&gt;
    &lt;artifactId&gt;quarkus-oidc&lt;/artifactId&gt;
&lt;/dependency&gt;</code></pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="writing-the-application"><a class="anchor" href="#writing-the-application"></a>Writing the application</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Let&#8217;s start by implementing the <code>/api/users/me</code> endpoint. As you can see from the source code below it is just a regular JAX-RS resource:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="java" class="language-java hljs">package org.acme.security.openid.connect;

import javax.annotation.security.RolesAllowed;
import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

import org.jboss.resteasy.annotations.cache.NoCache;
import io.quarkus.security.identity.SecurityIdentity;

@Path("/api/users")
public class UsersResource {

    @Inject
    SecurityIdentity securityIdentity;

    @GET
    @Path("/me")
    @RolesAllowed("user")
    @Produces(MediaType.APPLICATION_JSON)
    @NoCache
    public User me() {
        return new User(securityIdentity);
    }

    public static class User {

        private final String userName;

        User(SecurityIdentity securityIdentity) {
            this.userName = securityIdentity.getPrincipal().getName();
        }

        public String getUserName() {
            return userName;
        }
    }
}</code></pre>
</div>
</div>
<div class="paragraph">
<p>The source code for the <code>/api/admin</code> endpoint is also very simple. The main difference here is that we are using a <code>@RolesAllowed</code> annotation to make sure that only users granted with the <code>admin</code> role can access the endpoint:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="java" class="language-java hljs">package org.acme.security.openid.connect;

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

@Path("/api/admin")
public class AdminResource {

    @GET
    @RolesAllowed("admin")
    @Produces(MediaType.TEXT_PLAIN)
    public String admin() {
        return "granted";
    }
}</code></pre>
</div>
</div>
<div class="paragraph">
<p>Injection of the <code>SecurityIdentity</code> is supported in both <code>@RequestScoped</code> and <code>@ApplicationScoped</code> contexts.</p>
</div>
<div class="sect2">
<h3 id="accessing-jwt-claims"><a class="anchor" href="#accessing-jwt-claims"></a>Accessing JWT claims</h3>
<div class="paragraph">
<p>If you need to access <code>JsonWebToken</code> claims, you may simply inject the token itself:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="java" class="language-java hljs">package org.acme.security.openid.connect;

import org.eclipse.microprofile.jwt.JsonWebToken;

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

@Path("/api/admin")
public class AdminResource {

    @Inject
    JsonWebToken jwt;

    @GET
    @RolesAllowed("admin")
    @Produces(MediaType.TEXT_PLAIN)
    public String admin() {
        return "Access for subject " + jwt.getSubject() + " is granted";
    }
}</code></pre>
</div>
</div>
<div class="paragraph">
<p>Injection of the <code>JsonWebToken</code> is supported in both <code>@RequestScoped</code> and <code>@ApplicationScoped</code> contexts.</p>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="configuring-the-application"><a class="anchor" href="#configuring-the-application"></a>Configuring the application</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The OpenID Connect extension allows you to define the adapter configuration using the <code>application.properties</code> file which should be located at the <code>src/main/resources</code> directory.</p>
</div>
<div class="sect2">
<h3 id="configuring-using-the-application-properties-file"><a class="anchor" href="#configuring-using-the-application-properties-file"></a>Configuring using the application.properties file</h3>
<div class="paragraph configuration-legend">
<p><span class="icon"><i class="fa fa-lock" title="Fixed at build time"></i></span> Configuration property fixed at build time - All other configuration properties are overridable at runtime</p>
</div>
<table class="tableblock frame-all grid-all stretch configuration-reference searchable">
<colgroup>
<col style="width: 80%;">
<col style="width: 10%;">
<col style="width: 10%;">
</colgroup>
<tbody>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock"><a id="quarkus-oidc_configuration"></a><a href="#quarkus-oidc_configuration">Configuration property</a></p></th>
<th class="tableblock halign-left valign-middle"><p class="tableblock">Type</p></th>
<th class="tableblock halign-left valign-middle"><p class="tableblock">Default</p></th>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><span class="icon"><i class="fa fa-lock" title="Fixed at build time"></i></span> <a id="quarkus-oidc_quarkus.oidc.enabled"></a><code><a href="#quarkus-oidc_quarkus.oidc.enabled">quarkus.oidc.enabled</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If the OIDC extension is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.tenant-id"></a><code><a href="#quarkus-oidc_quarkus.oidc.tenant-id">quarkus.oidc.tenant-id</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>A unique tenant identifier. It must be set by <code>TenantConfigResolver</code> providers which resolve the tenant configuration dynamically and is optional in all other cases.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.tenant-enabled"></a><code><a href="#quarkus-oidc_quarkus.oidc.tenant-enabled">quarkus.oidc.tenant-enabled</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If this tenant configuration is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.application-type"></a><code><a href="#quarkus-oidc_quarkus.oidc.application-type">quarkus.oidc.application-type</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The application type, which can be one of the following values from enum <code>ApplicationType</code>.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>web-app</code>, <code>service</code></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>service</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.auth-server-url"></a><code><a href="#quarkus-oidc_quarkus.oidc.auth-server-url">quarkus.oidc.auth-server-url</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The base URL of the OpenID Connect (OIDC) server, for example, 'https://host:port/auth'. OIDC discovery endpoint will be called by default by appending a '.well-known/openid-configuration' path to this URL. Note if you work with Keycloak OIDC server, make sure the base URL is in the following format: 'https://host:port/auth/realms/{realm}' where '{realm}' has to be replaced by the name of the Keycloak realm.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.discovery-enabled"></a><code><a href="#quarkus-oidc_quarkus.oidc.discovery-enabled">quarkus.oidc.discovery-enabled</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Enables OIDC discovery. If the discovery is disabled then the following properties must be configured: - 'authorization-path' and 'token-path' for the 'web-app' applications - 'jwks-path' or 'introspection-path' for both the 'web-app' and 'service' applications
 'web-app' applications may also have 'user-info-path' and 'end-session-path' properties configured.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authorization-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.authorization-path">quarkus.oidc.authorization-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC authorization endpoint which authenticates the users. This property must be set for the 'web-app' applications if OIDC discovery is disabled. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.token-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.token-path">quarkus.oidc.token-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC token endpoint which issues ID, access and refresh tokens. This property must be set for the 'web-app' applications if OIDC discovery is disabled. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.user-info-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.user-info-path">quarkus.oidc.user-info-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC userinfo endpoint. This property must only be set for the 'web-app' applications if OIDC discovery is disabled and 'authentication.user-info-required' property is enabled. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.introspection-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.introspection-path">quarkus.oidc.introspection-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC RFC7662 introspection endpoint which can introspect both opaque and JWT tokens. This property must be set if OIDC discovery is disabled and 1) the opaque bearer access tokens have to be verified or 2) JWT tokens have to be verified while the cached JWK verification set with no matching JWK is being refreshed. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.jwks-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.jwks-path">quarkus.oidc.jwks-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC JWKS endpoint which returns a JSON Web Key Verification Set. This property should be set if OIDC discovery is disabled and the local JWT verification is required. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.end-session-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.end-session-path">quarkus.oidc.end-session-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC end_session_endpoint. This property must be set if OIDC discovery is disabled and RP Initiated Logout support for the 'web-app' applications is required. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.connection-delay"></a><code><a href="#quarkus-oidc_quarkus.oidc.connection-delay">quarkus.oidc.connection-delay</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The maximum amount of time the adapter will try connecting to the currently unavailable OIDC server for. For example, setting it to '20S' will let the adapter keep requesting the connection for up to 20 seconds.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><a href="https://docs.oracle.com/javase/8/docs/api/java/time/Duration.html">Duration</a>
  <a href="#duration-note-anchor" title="More information about the Duration format"><span class="icon"><i class="fa fa-question-circle"></i></span></a></p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.public-key"></a><code><a href="#quarkus-oidc_quarkus.oidc.public-key">quarkus.oidc.public-key</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Public key for the local JWT token verification. OIDC server connection will not be created when this property is set.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.client-id"></a><code><a href="#quarkus-oidc_quarkus.oidc.client-id">quarkus.oidc.client-id</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The client-id of the application. Each application has a client-id that is used to identify the application</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.roles.role-claim-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.roles.role-claim-path">quarkus.oidc.roles.role-claim-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Path to the claim containing an array of groups. It starts from the top level JWT JSON object and can contain multiple segments where each segment represents a JSON object name only, example: "realm/groups". Use double quotes with the namespace qualified claim names. This property can be used if a token has no 'groups' claim but has the groups set in a different claim.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.roles.role-claim-separator"></a><code><a href="#quarkus-oidc_quarkus.oidc.roles.role-claim-separator">quarkus.oidc.roles.role-claim-separator</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Separator for splitting a string which may contain multiple group values. It will only be used if the "role-claim-path" property points to a custom claim whose value is a string. A single space will be used by default because the standard 'scope' claim may contain a space separated sequence.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.roles.source"></a><code><a href="#quarkus-oidc_quarkus.oidc.roles.source">quarkus.oidc.roles.source</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Source of the principal roles.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>idtoken</code>, <code>accesstoken</code>, <code>userinfo</code></p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.token.issuer"></a><code><a href="#quarkus-oidc_quarkus.oidc.token.issuer">quarkus.oidc.token.issuer</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Expected issuer 'iss' claim value.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.token.audience"></a><code><a href="#quarkus-oidc_quarkus.oidc.token.audience">quarkus.oidc.token.audience</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Expected audience 'aud' claim value which may be a string or an array of strings.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">list of string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.token.token-type"></a><code><a href="#quarkus-oidc_quarkus.oidc.token.token-type">quarkus.oidc.token.token-type</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Expected token type</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.token.lifespan-grace"></a><code><a href="#quarkus-oidc_quarkus.oidc.token.lifespan-grace">quarkus.oidc.token.lifespan-grace</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Life span grace period in seconds. When checking token expiry, current time is allowed to be later than token expiration time by at most the configured number of seconds. When checking token issuance, current time is allowed to be sooner than token issue time by at most the configured number of seconds.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">int</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.token.principal-claim"></a><code><a href="#quarkus-oidc_quarkus.oidc.token.principal-claim">quarkus.oidc.token.principal-claim</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Name of the claim which contains a principal name. By default, the 'upn', 'preferred_username' and <code>sub</code> claims are checked.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.token.refresh-expired"></a><code><a href="#quarkus-oidc_quarkus.oidc.token.refresh-expired">quarkus.oidc.token.refresh-expired</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Refresh expired ID tokens. If this property is enabled then a refresh token request is performed and, if successful, the local session is updated with the new set of tokens. Otherwise, the local session is invalidated as an indication that the session at the OpenID Provider no longer exists. This option is only valid when the application is of type <code>ApplicationType#WEB_APP</code>}.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>false</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.token.forced-jwk-refresh-interval"></a><code><a href="#quarkus-oidc_quarkus.oidc.token.forced-jwk-refresh-interval">quarkus.oidc.token.forced-jwk-refresh-interval</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Forced JWK set refresh interval in minutes.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><a href="https://docs.oracle.com/javase/8/docs/api/java/time/Duration.html">Duration</a>
  <a href="#duration-note-anchor" title="More information about the Duration format"><span class="icon"><i class="fa fa-question-circle"></i></span></a></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>10M</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.credentials.secret"></a><code><a href="#quarkus-oidc_quarkus.oidc.credentials.secret">quarkus.oidc.credentials.secret</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Client secret which is used for a 'client_secret_basic' authentication method. Note that a 'client-secret.value' can be used instead but both properties are mutually exclusive.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.credentials.client-secret.value"></a><code><a href="#quarkus-oidc_quarkus.oidc.credentials.client-secret.value">quarkus.oidc.credentials.client-secret.value</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The client secret</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.credentials.client-secret.method"></a><code><a href="#quarkus-oidc_quarkus.oidc.credentials.client-secret.method">quarkus.oidc.credentials.client-secret.method</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Authentication method.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>basic</code>, <code>post</code></p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.credentials.jwt.secret"></a><code><a href="#quarkus-oidc_quarkus.oidc.credentials.jwt.secret">quarkus.oidc.credentials.jwt.secret</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>client_secret_jwt: JWT which includes client id as one of its claims is signed by the client secret and is submitted as a 'client_assertion' form parameter, while 'client_assertion_type' parameter is set to "urn:ietf:params:oauth:client-assertion-type:jwt-bearer".</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.credentials.jwt.lifespan"></a><code><a href="#quarkus-oidc_quarkus.oidc.credentials.jwt.lifespan">quarkus.oidc.credentials.jwt.lifespan</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>JWT life-span in seconds. It will be added to the time it was issued at to calculate the expiration time.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">int</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>10</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.proxy.host"></a><code><a href="#quarkus-oidc_quarkus.oidc.proxy.host">quarkus.oidc.proxy.host</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The host (name or IP address) of the Proxy.
 Note: If OIDC adapter needs to use a Proxy to talk with OIDC server (Provider), then at least the "host" config item must be configured to enable the usage of a Proxy.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.proxy.port"></a><code><a href="#quarkus-oidc_quarkus.oidc.proxy.port">quarkus.oidc.proxy.port</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The port number of the Proxy. Default value is 80.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">int</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>80</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.proxy.username"></a><code><a href="#quarkus-oidc_quarkus.oidc.proxy.username">quarkus.oidc.proxy.username</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The username, if Proxy needs authentication.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.proxy.password"></a><code><a href="#quarkus-oidc_quarkus.oidc.proxy.password">quarkus.oidc.proxy.password</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The password, if Proxy needs authentication.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.redirect-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.redirect-path">quarkus.oidc.authentication.redirect-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path for calculating a "redirect_uri" query parameter. It has to start from a forward slash and will be appended to the request URI&#8217;s host and port. For example, if the current request URI is 'https://localhost:8080/service' then a 'redirect_uri' parameter will be set to 'https://localhost:8080/' if this property is set to '/' and be the same as the request URI if this property has not been configured. Note the original request URI will be restored after the user has authenticated.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.restore-path-after-redirect"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.restore-path-after-redirect">quarkus.oidc.authentication.restore-path-after-redirect</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If this property is set to 'true' then the original request URI which was used before the authentication will be restored after the user has been redirected back to the application.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.remove-redirect-parameters"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.remove-redirect-parameters">quarkus.oidc.authentication.remove-redirect-parameters</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Remove the query parameters such as 'code' and 'state' set by the OIDC server on the redirect URI after the user has authenticated by redirecting a user to the same URI but without the query parameters.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.verify-access-token"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.verify-access-token">quarkus.oidc.authentication.verify-access-token</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Both ID and access tokens are verified as part of the authorization code flow and every time these tokens are retrieved from the user session. One should disable the access token verification if it is only meant to be propagated to the downstream services. Note the ID token will always be verified.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.force-redirect-https-scheme"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.force-redirect-https-scheme">quarkus.oidc.authentication.force-redirect-https-scheme</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Force 'https' as the 'redirect_uri' parameter scheme when running behind an SSL terminating reverse proxy. This property, if enabled, will also affect the logout <code>post_logout_redirect_uri</code> and the local redirect requests.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>false</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.scopes"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.scopes">quarkus.oidc.authentication.scopes</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>List of scopes</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">list of string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.cookie-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.cookie-path">quarkus.oidc.authentication.cookie-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Cookie path parameter value which, if set, will be used for the session and state cookies. It may need to be set when the redirect path has a root different to that of the original request URL.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.user-info-required"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.user-info-required">quarkus.oidc.authentication.user-info-required</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If this property is set to 'true' then an OIDC UserInfo endpoint will be called</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>false</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.xhr-auto-redirect"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.xhr-auto-redirect">quarkus.oidc.authentication.xhr-auto-redirect</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If this property is set to 'true' then a normal 302 redirect response will be returned if the request was initiated via XMLHttpRequest and the current user needs to be (re)authenticated which may not be desirable for Single Page Applications since XMLHttpRequest automatically following the redirect may not work given that OIDC authorization endpoints typically do not support CORS. If this property is set to <code>false</code> then a status code of '499' will be returned to allow the client to handle the redirect manually</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.tls.verification"></a><code><a href="#quarkus-oidc_quarkus.oidc.tls.verification">quarkus.oidc.tls.verification</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Certificate validation and hostname verification, which can be one of the following values from enum <code>Verification</code>. Default is required.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>required</code>, <code>none</code></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>required</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.logout.path"></a><code><a href="#quarkus-oidc_quarkus.oidc.logout.path">quarkus.oidc.logout.path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The relative path of the logout endpoint at the application. If provided, the application is able to initiate the logout through this endpoint in conformance with the OpenID Connect RP-Initiated Logout specification.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.logout.post-logout-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.logout.post-logout-path">quarkus.oidc.logout.post-logout-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the application endpoint where the user should be redirected to after logging out from the OpenID Connect Provider. This endpoint URI must be properly registered at the OpenID Connect Provider as a valid redirect URI.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.extra-params-extra-params"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.extra-params-extra-params">quarkus.oidc.authentication.extra-params</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Additional properties which will be added as the query parameters to the authentication redirect URI.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>Map&lt;String,String&gt;</code></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">required <span class="icon"><i class="fa fa-exclamation-circle" title="Configuration property is required"></i></span></p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock"><a id="quarkus-oidc_quarkus.oidc.named-tenants"></a><a href="#quarkus-oidc_quarkus.oidc.named-tenants">Additional named tenants</a></p></th>
<th class="tableblock halign-left valign-middle"><p class="tableblock">Type</p></th>
<th class="tableblock halign-left valign-middle"><p class="tableblock">Default</p></th>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.tenant-id"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.tenant-id">quarkus.oidc."tenant".tenant-id</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>A unique tenant identifier. It must be set by <code>TenantConfigResolver</code> providers which resolve the tenant configuration dynamically and is optional in all other cases.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.tenant-enabled"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.tenant-enabled">quarkus.oidc."tenant".tenant-enabled</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If this tenant configuration is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.application-type"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.application-type">quarkus.oidc."tenant".application-type</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The application type, which can be one of the following values from enum <code>ApplicationType</code>.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>web-app</code>, <code>service</code></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>service</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.auth-server-url"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.auth-server-url">quarkus.oidc."tenant".auth-server-url</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The base URL of the OpenID Connect (OIDC) server, for example, 'https://host:port/auth'. OIDC discovery endpoint will be called by default by appending a '.well-known/openid-configuration' path to this URL. Note if you work with Keycloak OIDC server, make sure the base URL is in the following format: 'https://host:port/auth/realms/{realm}' where '{realm}' has to be replaced by the name of the Keycloak realm.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.discovery-enabled"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.discovery-enabled">quarkus.oidc."tenant".discovery-enabled</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Enables OIDC discovery. If the discovery is disabled then the following properties must be configured: - 'authorization-path' and 'token-path' for the 'web-app' applications - 'jwks-path' or 'introspection-path' for both the 'web-app' and 'service' applications
 'web-app' applications may also have 'user-info-path' and 'end-session-path' properties configured.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authorization-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authorization-path">quarkus.oidc."tenant".authorization-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC authorization endpoint which authenticates the users. This property must be set for the 'web-app' applications if OIDC discovery is disabled. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.token-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.token-path">quarkus.oidc."tenant".token-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC token endpoint which issues ID, access and refresh tokens. This property must be set for the 'web-app' applications if OIDC discovery is disabled. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.user-info-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.user-info-path">quarkus.oidc."tenant".user-info-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC userinfo endpoint. This property must only be set for the 'web-app' applications if OIDC discovery is disabled and 'authentication.user-info-required' property is enabled. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.introspection-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.introspection-path">quarkus.oidc."tenant".introspection-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC RFC7662 introspection endpoint which can introspect both opaque and JWT tokens. This property must be set if OIDC discovery is disabled and 1) the opaque bearer access tokens have to be verified or 2) JWT tokens have to be verified while the cached JWK verification set with no matching JWK is being refreshed. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.jwks-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.jwks-path">quarkus.oidc."tenant".jwks-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC JWKS endpoint which returns a JSON Web Key Verification Set. This property should be set if OIDC discovery is disabled and the local JWT verification is required. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.end-session-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.end-session-path">quarkus.oidc."tenant".end-session-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC end_session_endpoint. This property must be set if OIDC discovery is disabled and RP Initiated Logout support for the 'web-app' applications is required. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.connection-delay"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.connection-delay">quarkus.oidc."tenant".connection-delay</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The maximum amount of time the adapter will try connecting to the currently unavailable OIDC server for. For example, setting it to '20S' will let the adapter keep requesting the connection for up to 20 seconds.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><a href="https://docs.oracle.com/javase/8/docs/api/java/time/Duration.html">Duration</a>
  <a href="#duration-note-anchor" title="More information about the Duration format"><span class="icon"><i class="fa fa-question-circle"></i></span></a></p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.public-key"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.public-key">quarkus.oidc."tenant".public-key</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Public key for the local JWT token verification. OIDC server connection will not be created when this property is set.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.client-id"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.client-id">quarkus.oidc."tenant".client-id</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The client-id of the application. Each application has a client-id that is used to identify the application</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.roles.role-claim-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.roles.role-claim-path">quarkus.oidc."tenant".roles.role-claim-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Path to the claim containing an array of groups. It starts from the top level JWT JSON object and can contain multiple segments where each segment represents a JSON object name only, example: "realm/groups". Use double quotes with the namespace qualified claim names. This property can be used if a token has no 'groups' claim but has the groups set in a different claim.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.roles.role-claim-separator"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.roles.role-claim-separator">quarkus.oidc."tenant".roles.role-claim-separator</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Separator for splitting a string which may contain multiple group values. It will only be used if the "role-claim-path" property points to a custom claim whose value is a string. A single space will be used by default because the standard 'scope' claim may contain a space separated sequence.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.roles.source"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.roles.source">quarkus.oidc."tenant".roles.source</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Source of the principal roles.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>idtoken</code>, <code>accesstoken</code>, <code>userinfo</code></p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.token.issuer"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.token.issuer">quarkus.oidc."tenant".token.issuer</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Expected issuer 'iss' claim value.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.token.audience"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.token.audience">quarkus.oidc."tenant".token.audience</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Expected audience 'aud' claim value which may be a string or an array of strings.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">list of string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.token.token-type"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.token.token-type">quarkus.oidc."tenant".token.token-type</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Expected token type</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.token.lifespan-grace"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.token.lifespan-grace">quarkus.oidc."tenant".token.lifespan-grace</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Life span grace period in seconds. When checking token expiry, current time is allowed to be later than token expiration time by at most the configured number of seconds. When checking token issuance, current time is allowed to be sooner than token issue time by at most the configured number of seconds.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">int</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.token.principal-claim"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.token.principal-claim">quarkus.oidc."tenant".token.principal-claim</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Name of the claim which contains a principal name. By default, the 'upn', 'preferred_username' and <code>sub</code> claims are checked.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.token.refresh-expired"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.token.refresh-expired">quarkus.oidc."tenant".token.refresh-expired</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Refresh expired ID tokens. If this property is enabled then a refresh token request is performed and, if successful, the local session is updated with the new set of tokens. Otherwise, the local session is invalidated as an indication that the session at the OpenID Provider no longer exists. This option is only valid when the application is of type <code>ApplicationType#WEB_APP</code>}.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>false</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.token.forced-jwk-refresh-interval"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.token.forced-jwk-refresh-interval">quarkus.oidc."tenant".token.forced-jwk-refresh-interval</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Forced JWK set refresh interval in minutes.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><a href="https://docs.oracle.com/javase/8/docs/api/java/time/Duration.html">Duration</a>
  <a href="#duration-note-anchor" title="More information about the Duration format"><span class="icon"><i class="fa fa-question-circle"></i></span></a></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>10M</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.credentials.secret"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.credentials.secret">quarkus.oidc."tenant".credentials.secret</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Client secret which is used for a 'client_secret_basic' authentication method. Note that a 'client-secret.value' can be used instead but both properties are mutually exclusive.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.credentials.client-secret.value"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.credentials.client-secret.value">quarkus.oidc."tenant".credentials.client-secret.value</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The client secret</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.credentials.client-secret.method"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.credentials.client-secret.method">quarkus.oidc."tenant".credentials.client-secret.method</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Authentication method.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>basic</code>, <code>post</code></p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.credentials.jwt.secret"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.credentials.jwt.secret">quarkus.oidc."tenant".credentials.jwt.secret</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>client_secret_jwt: JWT which includes client id as one of its claims is signed by the client secret and is submitted as a 'client_assertion' form parameter, while 'client_assertion_type' parameter is set to "urn:ietf:params:oauth:client-assertion-type:jwt-bearer".</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.credentials.jwt.lifespan"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.credentials.jwt.lifespan">quarkus.oidc."tenant".credentials.jwt.lifespan</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>JWT life-span in seconds. It will be added to the time it was issued at to calculate the expiration time.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">int</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>10</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.proxy.host"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.proxy.host">quarkus.oidc."tenant".proxy.host</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The host (name or IP address) of the Proxy.
 Note: If OIDC adapter needs to use a Proxy to talk with OIDC server (Provider), then at least the "host" config item must be configured to enable the usage of a Proxy.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.proxy.port"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.proxy.port">quarkus.oidc."tenant".proxy.port</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The port number of the Proxy. Default value is 80.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">int</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>80</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.proxy.username"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.proxy.username">quarkus.oidc."tenant".proxy.username</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The username, if Proxy needs authentication.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.proxy.password"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.proxy.password">quarkus.oidc."tenant".proxy.password</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The password, if Proxy needs authentication.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.redirect-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.redirect-path">quarkus.oidc."tenant".authentication.redirect-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path for calculating a "redirect_uri" query parameter. It has to start from a forward slash and will be appended to the request URI&#8217;s host and port. For example, if the current request URI is 'https://localhost:8080/service' then a 'redirect_uri' parameter will be set to 'https://localhost:8080/' if this property is set to '/' and be the same as the request URI if this property has not been configured. Note the original request URI will be restored after the user has authenticated.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.restore-path-after-redirect"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.restore-path-after-redirect">quarkus.oidc."tenant".authentication.restore-path-after-redirect</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If this property is set to 'true' then the original request URI which was used before the authentication will be restored after the user has been redirected back to the application.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.remove-redirect-parameters"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.remove-redirect-parameters">quarkus.oidc."tenant".authentication.remove-redirect-parameters</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Remove the query parameters such as 'code' and 'state' set by the OIDC server on the redirect URI after the user has authenticated by redirecting a user to the same URI but without the query parameters.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.verify-access-token"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.verify-access-token">quarkus.oidc."tenant".authentication.verify-access-token</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Both ID and access tokens are verified as part of the authorization code flow and every time these tokens are retrieved from the user session. One should disable the access token verification if it is only meant to be propagated to the downstream services. Note the ID token will always be verified.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.force-redirect-https-scheme"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.force-redirect-https-scheme">quarkus.oidc."tenant".authentication.force-redirect-https-scheme</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Force 'https' as the 'redirect_uri' parameter scheme when running behind an SSL terminating reverse proxy. This property, if enabled, will also affect the logout <code>post_logout_redirect_uri</code> and the local redirect requests.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>false</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.scopes"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.scopes">quarkus.oidc."tenant".authentication.scopes</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>List of scopes</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">list of string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.extra-params-extra-params"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.extra-params-extra-params">quarkus.oidc."tenant".authentication.extra-params</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Additional properties which will be added as the query parameters to the authentication redirect URI.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>Map&lt;String,String&gt;</code></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">required <span class="icon"><i class="fa fa-exclamation-circle" title="Configuration property is required"></i></span></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.cookie-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.cookie-path">quarkus.oidc."tenant".authentication.cookie-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Cookie path parameter value which, if set, will be used for the session and state cookies. It may need to be set when the redirect path has a root different to that of the original request URL.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.user-info-required"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.user-info-required">quarkus.oidc."tenant".authentication.user-info-required</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If this property is set to 'true' then an OIDC UserInfo endpoint will be called</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>false</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.xhr-auto-redirect"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.xhr-auto-redirect">quarkus.oidc."tenant".authentication.xhr-auto-redirect</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If this property is set to 'true' then a normal 302 redirect response will be returned if the request was initiated via XMLHttpRequest and the current user needs to be (re)authenticated which may not be desirable for Single Page Applications since XMLHttpRequest automatically following the redirect may not work given that OIDC authorization endpoints typically do not support CORS. If this property is set to <code>false</code> then a status code of '499' will be returned to allow the client to handle the redirect manually</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.tls.verification"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.tls.verification">quarkus.oidc."tenant".tls.verification</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Certificate validation and hostname verification, which can be one of the following values from enum <code>Verification</code>. Default is required.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>required</code>, <code>none</code></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>required</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.logout.path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.logout.path">quarkus.oidc."tenant".logout.path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The relative path of the logout endpoint at the application. If provided, the application is able to initiate the logout through this endpoint in conformance with the OpenID Connect RP-Initiated Logout specification.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.logout.post-logout-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.logout.post-logout-path">quarkus.oidc."tenant".logout.post-logout-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the application endpoint where the user should be redirected to after logging out from the OpenID Connect Provider. This endpoint URI must be properly registered at the OpenID Connect Provider as a valid redirect URI.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
</tbody>
</table>
<div id="duration-note-anchor" class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="title">About the Duration format</div>
<div class="paragraph">
<p>The format for durations uses the standard <code>java.time.Duration</code> format.
You can learn more about it in the <a href="https://docs.oracle.com/javase/8/docs/api/java/time/Duration.html#parse-java.lang.CharSequence-">Duration#parse() javadoc</a>.</p>
</div>
<div class="paragraph">
<p>You can also provide duration values starting with a number.
In this case, if the value consists only of a number, the converter treats the value as seconds.
Otherwise, <code>PT</code> is implicitly prepended to the value to obtain a standard <code>java.time.Duration</code> format.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>Example configuration:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="properties" class="language-properties hljs">quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/quarkus
quarkus.oidc.client-id=backend-service</code></pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="configuring-cors"><a class="anchor" href="#configuring-cors"></a>Configuring CORS</h3>
<div class="paragraph">
<p>If you plan to consume this application from another application running on a different domain, you will need to configure CORS (Cross-Origin Resource Sharing). Please read the <a href="http-reference#cors-filter">HTTP CORS documentation</a> for more details.</p>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="starting-and-configuring-the-keycloak-server"><a class="anchor" href="#starting-and-configuring-the-keycloak-server"></a>Starting and Configuring the Keycloak Server</h2>
<div class="sectionbody">
<div class="paragraph">
<p>To start a Keycloak Server you can use Docker and just run the following command:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="bash" class="language-bash hljs">docker run --name keycloak -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -p 8180:8080 {keycloak-docker-image}</code></pre>
</div>
</div>
<div class="paragraph">
<p>You should be able to access your Keycloak Server at <a href="http://localhost:8180/auth">localhost:8180/auth</a>.</p>
</div>
<div class="paragraph">
<p>Log in as the <code>admin</code> user to access the Keycloak Administration Console. Username should be <code>admin</code> and password <code>admin</code>.</p>
</div>
<div class="paragraph">
<p>Import the <a href="https://github.com/quarkusio/quarkus-quickstarts/tree/master/security-openid-connect-quickstart/config/quarkus-realm.json">realm configuration file</a> to create a new realm. For more details, see the Keycloak documentation about how to <a href="https://www.keycloak.org/docs/latest/server_admin/index.html#_create-realm">create a new realm</a>.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
If you want to use the Keycloak Admin Client to configure your server from your application you need to include the
<code>quarkus-keycloak-admin-client</code> extension.
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="running-and-using-the-application"><a class="anchor" href="#running-and-using-the-application"></a>Running and Using the Application</h2>
<div class="sectionbody">
<div class="sect2">
<h3 id="running-in-developer-mode"><a class="anchor" href="#running-in-developer-mode"></a>Running in Developer Mode</h3>
<div class="paragraph">
<p>To run the microservice in dev mode, use <code>./mvnw clean compile quarkus:dev</code>.</p>
</div>
</div>
<div class="sect2">
<h3 id="running-in-jvm-mode"><a class="anchor" href="#running-in-jvm-mode"></a>Running in JVM Mode</h3>
<div class="paragraph">
<p>When you&#8217;re done playing with "dev-mode" you can run it as a standard Java application.</p>
</div>
<div class="paragraph">
<p>First compile it:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="bash" class="language-bash hljs">./mvnw package</code></pre>
</div>
</div>
<div class="paragraph">
<p>Then run it:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="bash" class="language-bash hljs">java -jar ./target/security-openid-connect-quickstart-runner.jar</code></pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="running-in-native-mode"><a class="anchor" href="#running-in-native-mode"></a>Running in Native Mode</h3>
<div class="paragraph">
<p>This same demo can be compiled into native code: no modifications required.</p>
</div>
<div class="paragraph">
<p>This implies that you no longer need to install a JVM on your
production environment, as the runtime technology is included in
the produced binary, and optimized to run with minimal resource overhead.</p>
</div>
<div class="paragraph">
<p>Compilation will take a bit longer, so this step is disabled by default;
let&#8217;s build again by enabling the <code>native</code> profile:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="bash" class="language-bash hljs">./mvnw package -Pnative</code></pre>
</div>
</div>
<div class="paragraph">
<p>After getting a cup of coffee, you&#8217;ll be able to run this binary directly:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="bash" class="language-bash hljs">./target/security-openid-connect-quickstart-runner</code></pre>
</div>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="testing-the-application"><a class="anchor" href="#testing-the-application"></a>Testing the Application</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The application is using bearer token authorization and the first
thing to do is obtain an access token from the Keycloak Server in
order to access the application resources:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="bash" class="language-bash hljs">export access_token=$(\
    curl -X POST http://localhost:8180/auth/realms/quarkus/protocol/openid-connect/token \
    --user backend-service:secret \
    -H 'content-type: application/x-www-form-urlencoded' \
    -d 'username=alice&amp;password=alice&amp;grant_type=password' | jq --raw-output '.access_token' \
 )</code></pre>
</div>
</div>
<div class="paragraph">
<p>The example above obtains an access token for user <code>alice</code>.</p>
</div>
<div class="paragraph">
<p>Any user is allowed to access the
<code><a href="http://localhost:8080/api/users/me" class="bare">http://localhost:8080/api/users/me</a></code> endpoint
which basically returns a JSON payload with details about the user.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="bash" class="language-bash hljs">curl -v -X GET \
  http://localhost:8080/api/users/me \
  -H "Authorization: Bearer "$access_token</code></pre>
</div>
</div>
<div class="paragraph">
<p>The <code><a href="http://localhost:8080/api/admin" class="bare">http://localhost:8080/api/admin</a></code> endpoint can only be accessed by users with the <code>admin</code> role. If you try to access this endpoint with the
 previously issued access token, you should get a <code>403</code> response
 from the server.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="bash" class="language-bash hljs">curl -v -X GET \
   http://localhost:8080/api/admin \
   -H "Authorization: Bearer "$access_token</code></pre>
</div>
</div>
<div class="paragraph">
<p>In order to access the admin endpoint you should obtain a token for the <code>admin</code> user:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="bash" class="language-bash hljs">export access_token=$(\
    curl -X POST http://localhost:8180/auth/realms/quarkus/protocol/openid-connect/token \
    --user backend-service:secret \
    -H 'content-type: application/x-www-form-urlencoded' \
    -d 'username=admin&amp;password=admin&amp;grant_type=password' | jq --raw-output '.access_token' \
 )</code></pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="token-claims-and-securityidentity-roles"><a class="anchor" href="#token-claims-and-securityidentity-roles"></a>Token Claims And SecurityIdentity Roles</h2>
<div class="sectionbody">
<div class="paragraph">
<p>SecurityIdentity roles can be mapped from the verified JWT access tokens as follows:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>If <code>quarkus.oidc.roles.role-claim-path</code> property is set and a matching array or string claim is found then the roles are extracted from this claim.
For example, <code>customroles</code>, <code>customroles/array</code>, <code>scope</code>, <code>"http://namespace-qualified-custom-claim"/roles</code>, <code>"http://namespace-qualified-roles"</code>, etc.</p>
</li>
<li>
<p>If <code>groups</code> claim is available then its value is used</p>
</li>
<li>
<p>If <code>realm_access/roles</code> or <code>resource_access/client_id/roles</code> (where <code>client_id</code> is the value of the <code>quarkus.oidc.client-id</code> property) claim is available then its value is used.
This check supports the tokens issued by Keycloak</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>If the token is opaque (binary) then a <code>scope</code> property from the remote token introspection response will be used.</p>
</div>
<div class="paragraph">
<p>Additionally a custom <code>SecurityIdentityAugmentor</code> can also be used to add the roles as documented <a href="security#security-identity-customization">here</a>.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="oidc-single-page-applications"><a class="anchor" href="#oidc-single-page-applications"></a>Single Page Applications</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Single Page Application (SPA) typically uses <code>XMLHttpRequest</code>(XHR) and the Java Script utility code provided by the OpenId Connect provider to acquire a bearer token and use it
to access Quarkus <code>service</code> applications.</p>
</div>
<div class="paragraph">
<p>For example, here is how you can use <code>keycloak.js</code> to authenticate the users and refresh the expired tokens from the SPA:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="html" class="language-html hljs">&lt;html&gt;
&lt;head&gt;
    &lt;title&gt;keycloak-spa&lt;/title&gt;
    &lt;script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"&gt;&lt;/script&gt;
    &lt;script src="http://localhost:8180/auth/js/keycloak.js"&gt;&lt;/script&gt;
    &lt;script&gt;
        var keycloak = new Keycloak();
        keycloak.init({onLoad: 'login-required'}).success(function () {
            console.log('User is now authenticated.');
        }).error(function () {
            window.location.reload();
        });
        function makeAjaxRequest() {
            axios.get("/api/hello", {
                headers: {
                    'Authorization': 'Bearer ' + keycloak.token
                }
            })
            .then( function (response) {
                console.log("Response: ", response.status);
            }).catch(function (error) {
                console.log('refreshing');
                keycloak.updateToken(5).then(function () {
                    console.log('Token refreshed');
                }).catch(function () {
                    console.log('Failed to refresh token');
                    window.location.reload();
                });
            });
    }
    &lt;/script&gt;
&lt;/head&gt;
&lt;body&gt;
    &lt;button onclick="makeAjaxRequest()"&gt;Request&lt;/button&gt;
&lt;/body&gt;
&lt;/html&gt;</code></pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="references"><a class="anchor" href="#references"></a>References</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p><a href="https://www.keycloak.org/documentation.html">Keycloak Documentation</a></p>
</li>
<li>
<p><a href="https://openid.net/connect/">OpenID Connect</a></p>
</li>
<li>
<p><a href="https://tools.ietf.org/html/rfc7519">JSON Web Token</a></p>
</li>
</ul>
</div>
</div>
</div>
    </div>
  </div>
</div>

  </div>

  <div class="content project-footer">
  <div class="footer-section">
    <div class="logo-wrapper">
      <a href="/"><img src="/assets/images/quarkus_logo_horizontal_rgb_reverse.svg" class="project-logo" title="Quarkus"></a>
    </div>
  </div>
  <div class="grid-wrapper">
    <p class="grid__item width-3-12">Quarkus is open. All dependencies of this project are available under the <a href='https://www.apache.org/licenses/LICENSE-2.0' target='_blank'>Apache Software License 2.0</a> or compatible license.<br /><br />This website was built with <a href='https://jekyllrb.com/' target='_blank'>Jekyll</a>, is hosted on <a href='https://pages.github.com/' target='_blank'>Github Pages</a> and is completely open source. If you want to make it better, <a href='https://github.com/quarkusio/quarkusio.github.io' target='_blank'>fork the website</a> and show us what you’ve got.</p>

    
      <div class="width-1-12 project-links">
        <span>Navigation</span>
        <ul class="footer-links width-1-12">
          
            <li><a href="/">Home</a></li>
          
            <li><a href="/guides">Guides</a></li>
          
            <li><a href="/community/#contributing">Contribute</a></li>
          
            <li><a href="/faq">FAQ</a></li>
          
            <li><a href="/get-started">Get Started</a></li>
          
        </ul>
      </div>
    
      <div class="width-1-12 project-links">
        <span>Contribute</span>
        <ul class="footer-links width-1-12">
          
            <li><a href="https://twitter.com/quarkusio">Follow us</a></li>
          
            <li><a href="https://github.com/quarkusio">GitHub</a></li>
          
            <li><a href="/security">Security&nbsp;policy</a></li>
          
        </ul>
      </div>
    
      <div class="width-1-12 project-links">
        <span>Get Help</span>
        <ul class="footer-links width-1-12">
          
            <li><a href="https://groups.google.com/forum/#!forum/quarkus-dev">Forums</a></li>
          
            <li><a href="https://quarkusio.zulipchat.com">Chatroom</a></li>
          
        </ul>
      </div>
    

    
      <div class="width-3-12 more-links">
        <span>Quarkus is made of community projects</span>
        <ul class="footer-links">
          
            <li><a href="https://vertx.io/" target="_blank">Eclipse Vert.x</a></li>
          
            <li><a href="https://microprofile.io" target="_blank">Eclipse MicroProfile</a></li>
          
            <li><a href="https://hibernate.org" target="_blank">Hibernate</a></li>
          
            <li><a href="https://netty.io" target="_blank">Netty</a></li>
          
            <li><a href="https://resteasy.github.io" target="_blank">RESTEasy</a></li>
          
            <li><a href="https://camel.apache.org" target="_blank">Apache Camel</a></li>
          
            <li><a href="https://code.quarkus.io/" target="_blank">And many more...</a></li>
          
        </ul>
      </div>
    
  </div>
</div>
  <div class="content redhat-footer">
  <div class="grid-wrapper">
    <span class="licence">
      <i class="fab fa-creative-commons"></i><i class="fab fa-creative-commons-by"></i> <a href="https://creativecommons.org/licenses/by/3.0/" target="_blank">CC by 3.0</a> | <a href="https://www.redhat.com/en/about/privacy-policy">Privacy Policy</a>
    </span>
    <span class="redhat">
      Sponsored by
    </span>
    <span class="redhat-logo">
      <a href="https://www.redhat.com/" target="_blank"><img src="/assets/images/redhat_reversed.svg"></a>
    </span>
  </div>
</div>


  <script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js" integrity="sha384-8gBf6Y4YYq7Jx97PIqmTwLPin4hxIzQw5aDmUg/DDhul9fFpbbLcLh3nTIIDJKhx" crossorigin="anonymous"></script>
  <script type="text/javascript" src="/assets/javascript/mobile-nav.js"></script>
  <script type="text/javascript" src="/assets/javascript/scroll-down.js"></script>
  <script src="/assets/javascript/satellite.js" type="text/javascript"></script>
  <script src="https://quarkus.io/guides/javascript/config.js" type="text/javascript"></script>
  <script src="/assets/javascript/search-filter.js" type="text/javascript"></script>
  <script src="/assets/javascript/back-to-top.js" type="text/javascript"></script>
</body>

</html>
